Can't ping macvlan container from its host

I added a macvlan eth0 interface, and it works for the container itself: it got a DHCP address from my router and it can reach the internet. Also, I can ping the container from the router. But I can't ping the container from the host itself…

marduk pts/3#lxc config show xoce
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian bullseye amd64 (20230613_06:02)
  image.os: Debian
  image.release: bullseye
  image.serial: "20230613_06:02"
  image.type: squashfs
  image.variant: default
  security.privileged: "true"
  volatile.base_image: a2534c4b58819fd29375567a9d5aa3b441d2b4a686cc1c8ee1ebed65e9e69229
  volatile.cloud-init.instance-id: 3273ade1-e1a7-4b21-ad50-ef7b23866cd0
  volatile.eth0.host_name: macb63cd22a
  volatile.eth0.hwaddr: 00:16:3e:98:07:9f
  volatile.eth0.last_state.created: "false"
  volatile.idmap.base: "0"
  volatile.idmap.current: '[]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.last_state.ready: "false"
  volatile.uuid: 64171fc3-acfa-4f1b-9e58-7aff85885bd9
  volatile.uuid.generation: 64171fc3-acfa-4f1b-9e58-7aff85885bd9
devices:
  eth0:
    name: eth0
    nictype: macvlan
    parent: enp4s0
    type: nic
ephemeral: false
profiles:
- default
stateful: false
description: ""

Container xoce has an IP address, assigned by the router:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
19: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:98:07:9f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.164/24 brd 192.168.0.255 scope global dynamic eth0
       valid_lft 516sec preferred_lft 516sec
    inet6 fe80::216:3eff:fe98:79f/64 scope link 
       valid_lft forever preferred_lft forever

It works:

root@xoce:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=109 time=15.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=109 time=14.8 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 14.797/14.924/15.052/0.127 ms

Pings from router to container:

[admin@baphomet] > /ping 192.168.0.164
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                         
    0 192.168.0.164                              56  64 0ms  
    1 192.168.0.164                              56  64 0ms  
    2 192.168.0.164                              56  64 0ms  
    3 192.168.0.164                              56  64 0ms  
    4 192.168.0.164                              56  64 0ms  
    5 192.168.0.164                              56  64 0ms  
    sent=6 received=6 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 

[admin@baphomet] > 

Can’t ping from host to container:

marduk pts/2%ping 192.168.0.164                                                                        [~/J/36 16:15 Tue 13] 
PING 192.168.0.164 (192.168.0.164) 56(84) bytes of data.
^C
--- 192.168.0.164 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1019ms

What's wrong, and how do I fix it?

This is expected behaviour of macvlan (and ipvlan) NIC types and is enforced by the Linux kernel and not LXD.

See https://linuxcontainers.org/lxd/docs/master/reference/devices_nic/#nic-macvlan for an explanation of this limitation.

If you need host<->instance communication then you should use a bridged NIC connected to an unmanaged bridge that has your external interface added to it.

See https://blog.simos.info/how-to-make-your-lxd-containers-get-ip-addresses-from-your-lan-using-a-bridge/ and https://netplan.readthedocs.io/en/stable/examples/#how-to-configure-network-bridges on how to create an unmanaged bridge.

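An added check that applies the answer above (example code, not from the thread or from LXD itself): it reads the output of lxc config show --expanded, flags nic devices whose type the kernel keeps isolated from the host (macvlan and ipvlan), and prints the LXD commands that replace such a device with a bridged NIC. The bridge name br0 is an assumption: it must already exist as an unmanaged bridge with the external interface enslaved, as in the linked guides.

```shell
# Added example (not from the thread or from LXD itself): audit an instance's
# NIC devices for the macvlan/ipvlan limitation described above and print the
# commands that replace such a NIC with a bridged one. The bridge name passed
# in (br0 below) is an assumption: it must already exist as an unmanaged
# bridge with the external interface (e.g. enp4s0) enslaved to it.

# Read "lxc config show --expanded <instance>" on stdin and print one line per
# nic device: "<device> <nictype> <parent> <verdict>".
check_nic_types() {
    awk '
        function flush() {
            if (dev != "" && type == "nic") {
                v = (nictype == "macvlan" || nictype == "ipvlan") ? "host-unreachable-by-design" : "ok"
                print dev, nictype, parent, v
            }
            dev = ""; nictype = ""; parent = ""; type = ""
        }
        /^devices:/          { in_dev = 1; next }
        in_dev && /^[^ ]/    { flush(); in_dev = 0 }      # left the devices: block
        in_dev && /^  [^ ]/  { flush(); dev = $1; sub(":$", "", dev) }
        in_dev && /^    nictype:/ { nictype = $2 }
        in_dev && /^    parent:/  { parent = $2 }
        in_dev && /^    type:/    { type = $2 }
        END { flush() }
    '
}

# Print the LXD commands that swap device $2 of instance $1 for a bridged NIC
# on bridge $3. Removing the device drops the instance's network link, so run
# this during a maintenance window and confirm the bridge carries the LAN.
bridged_fix_commands() {
    instance=$1; dev=$2; bridge=$3
    printf 'lxc config device remove %s %s\n' "$instance" "$dev"
    printf 'lxc config device add %s %s nic nictype=bridged parent=%s name=%s\n' \
        "$instance" "$dev" "$bridge" "$dev"
}

# Walk every instance on this host when the lxc client is available.
if command -v lxc >/dev/null 2>&1; then
    for inst in $(lxc list -c n --format csv); do
        lxc config show --expanded "$inst" | check_nic_types | while read -r dev nictype parent verdict; do
            echo "$inst/$dev: $nictype on $parent -> $verdict"
            [ "$verdict" = "host-unreachable-by-design" ] && bridged_fix_commands "$inst" "$dev" br0
        done
    done
fi
```

The printed commands are only suggestions to review; they are not executed by the script.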